Parties Inch Closer to Agreement on Federal Cyberlaw

Whether the voluntary approach to developing cybersecurity protection standards for business use carries through to compliance with those standards remains an open question. The private sector may be comfortable with the emphasis on a voluntary approach so far, and thus be hopeful that any eventual legislation will retain that approach. Still, a bit of caution remains.

By John K. Higgins
Jul 31, 2013 5:00 AM PT

Both the White House and Congress have asserted that protecting the nation's resources from cyberattacks is a top priority. Yet enacting legislation designed to enhance security for critical infrastructure components such as water, power, telecom and transport facilities that is acceptable to both political parties has been a struggle.

A 2012 legislative effort failed, and this year the Obama administration said it would not endorse the Cyber Intelligence Sharing and Protection Act passed by the House in April. The administration objected to CISPA provisions on private sector responsibilities for sharing cyberdata and reiterated its position of requiring the reporting of data breaches. Differences over the degree to which certain cyberprotection practices should be voluntary or mandatory remain.

With the caveat that reading the legislative tea leaves in Washington is always a bit risky, a couple of items have surfaced that look intriguing in terms of resolving differences.

One is a bill that was introduced last week by Sen. Jay Rockefeller, D-W.Va., and Sen. John Thune, R-S.D., which addresses cybersecurity issues. Rockefeller and Thune are the chairman and ranking member of the Senate Commerce Committee, respectively.

The proposed bill focuses on the role of the National Institute of Standards and Technology in developing guidance for industry to use in meeting cyberthreats. One important element of the proposal calls upon NIST to develop "a voluntary, industry-led set of standards, guidelines, best practices, methodologies and processes to reduce cyberrisks to critical infrastructure."

A Possible Olive Branch

The emphasis on a voluntary, industry-led initiative could go a long way to reducing either real or perceived anxiety by the business community over the prospect of a heavy handed, government-dominated regulatory approach to cybersecurity.

The bill would create a "NIST-facilitated, industry-driven process for developing a set of voluntary cybersecurity standards for critical infrastructure," according to a Commerce Committee statement. The standards will not duplicate or conflict with existing cyberrequirements or regulatory processes, and they will be non-regulatory, non-prescriptive and technology neutral.

The bill would strengthen existing federal cybersecurity research directed by the White House and broaden the range of programs, including research on how to design, build, test and verify complex software-intensive systems that are secure and reliable when first deployed, as well as programs related to secure third-party software. The proposal also includes programs dealing with improving the cyberworkforce and cybereducation, along with increasing public awareness of cyber-risks and cybersecurity.

To a large degree, the Rockefeller-Thune proposal codifies into law many of the components of an executive order issued by President Obama, which deals with cybersecurity issues, especially those involving federal agencies. Components of the order stressed voluntary efforts by business, and cooperation between the private and public sector.

The voluntary approach in the Senate proposal puts some legislative heft behind that approach. "The proposal seems to have clearly minimized the emphasis on a directive/mandatory approach in favor of volunteer standard setting," Paul Rosenzweig, founder of
Red Branch Law and Consulting, told the E-Commerce Times.

"Notably, the bill does not have any mention of mandatory reporting through the Securities and Exchange Commission, nor does it require preferences in purchasing. It is truly a good compromise," he said.

Some proposals have required private sector firms to make certain cybersecurity disclosures in their financial reports to the SEC.

"While our concern regarding the executive order remains -- especially given the not-so-voluntary nature of some of the order's other provisions -- this bill seems to do no harm with what appears to be a truly voluntary system," David Inserra, research assistant for national security at
The Heritage Foundation, told the E-Commerce Times.

"The direction taken by Senators Rockefeller and Thune is very positive. Their bill appropriately focuses on managing and prioritizing risk, and it also promotes innovation," Tim Molino, director of government relations at the Business Software Alliance, told the E-Commerce Times.

"Additionally, BSA appreciates the emphasis on promoting cybersecurity research and believes NIST's enhanced role is the right approach," he said.

NIST Reaches Out

The second factor that indicates possible progress for enactment of a federal cyberlaw is the work NIST is already doing in response to the executive order in developing a framework for generating cybersecurity operating standards and best practices -- a process the Senate bill would reinforce. Again, the effort stresses a voluntary private sector approach.

NIST has conducted intense outreach efforts to obtain input from a broad array of private sector sources. The agency has released a preliminary core structure for the framework plus a user's guide and an executive overview that describes the purpose, need and application of the framework in business.

Reflecting comments that emphasized the importance of executive involvement in managing cyber-risks, the framework is designed to help business leaders evaluate how prepared their organizations are to deal with cyberthreats and their impacts, NIST said.

"We are pleased that many private-sector organizations have put significant time and resources into the framework development process," said Adam Sedgewick, senior information technology policy advisor at NIST.

"We believe that both large and small organizations will be able use the final framework to reduce cyber-risks to critical infrastructure by aligning and integrating cybersecurity-related policies and plans, functions and investments into their overall risk management," he added.

NIST hopes to have the complete framework ready by Oct. 1.

"So far, BSA believes the NIST process has been very successful. NIST's outreach and understanding of the complexity of the issue have been refreshing. BSA looks forward to continuing to work with NIST as this process moves forward," Molino said.

Many information technology companies either individually or through trade associations have been actively engaged in a dialog with NIST and continue to remain engaged in the process.

"It was great to see so much synergy between the public and private sector working on the common problem to address cybersecurity," said Nikolay Chernavsky, senior manager of information security for Amgen, at a conference conducted by NIST in San Diego in early July.

Still Some Caution in the Wind

Just recently, the Obama administration revealed that in addressing the cybersecurity threat, it was considering the use of incentives to further spur business cooperation. No specific proposals have yet emerged, but the range of options included insurance protection, grants and subsidies, and tax breaks.

Whether the voluntary approach to developing cybersecurity protection standards for business use carries through to compliance with those standards remains an open question. The private sector may be comfortable with the emphasis on a voluntary approach so far, and thus be hopeful that any eventual legislation will retain that approach.

Still, a bit of caution remains. For all of the Obama administration's promotion of private and public sector cooperation, a section of the February executive order remains troublesome, according to The Heritage Foundation's Inserra.

That section "effectively directs sector specific agencies to take the voluntary framework and make it mandatory for all their sectors through either existing rules or additional rulemaking," he wrote in a blog post earlier this year.

"It is our understanding that creating new regulations is neither the intent nor the goal of the legislation," said Dorothy Coleman, vice president for tax, technology and domestic economic policy at the National Association of Manufacturers, at a hearing last week on the proposed Senate legislation.

"On behalf of the NAM's 12,000 members, this is a point I cannot stress strongly enough," she told Sen. Rockefeller. "Manufacturers will not support any legislation that creates a duplicative regulatory regime that puts undue burdens on manufacturers."

John K. Higgins is a career business writer, with broad experience for a major publisher in a wide range of topics including energy, finance, environment and government policy. In his current freelance role, he reports mainly on government information technology issues for ECT News Network.